SYMBOLCOMMON_NAMEaka. SYNONYMS
win.unidentified_104 (Back to overview)

Unidentified 104

There is no description at this point.

References
2023-05-31Twitter (@jaydinbas)Johann Aydinbas
@online{aydinbas:20230531:about:19b2edc, author = {Johann Aydinbas}, title = {{Tweet about C++ payload delivered via ISO}}, date = {2023-05-31}, organization = {Twitter (@jaydinbas)}, url = {https://twitter.com/jaydinbas/status/1663916211975987201}, language = {English}, urldate = {2023-06-01} } Tweet about C++ payload delivered via ISO
Unidentified 104
Yara Rules
[TLP:WHITE] win_unidentified_104_auto (20230715 | Detects win.unidentified_104.)
rule win_unidentified_104_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.unidentified_104."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_104"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488bd7 488bcb e8???????? 488b5c2450 488b6c2458 488b742460 4883c440 }
            // n = 7, score = 100
            //   488bd7               | dec                 eax
            //   488bcb               | add                 edx, eax
            //   e8????????           |                     
            //   488b5c2450           | dec                 esp
            //   488b6c2458           | xor                 eax, edx
            //   488b742460           | dec                 eax
            //   4883c440             | mov                 dword ptr [esp + 8], edx

        $sequence_1 = { 4c03d6 4c89542420 488b542408 4933ca 4c8bd1 49c1ea3f 488d0409 }
            // n = 7, score = 100
            //   4c03d6               | dec                 ecx
            //   4c89542420           | xor                 edi, edx
            //   488b542408           | dec                 eax
            //   4933ca               | mov                 ecx, edi
            //   4c8bd1               | dec                 eax
            //   49c1ea3f             | shr                 edi, 0x18
            //   488d0409             | dec                 eax

        $sequence_2 = { 48897e10 48897e18 0f1000 0f1106 0f104810 0f114e10 48897810 }
            // n = 7, score = 100
            //   48897e10             | mov                 edi, 0x8000
            //   48897e18             | dec                 eax
            //   0f1000               | arpl                word ptr [edx + 0xc], dx
            //   0f1106               | dec                 ecx
            //   0f104810             | add                 edx, eax
            //   0f114e10             | dec                 esp
            //   48897810             | lea                 eax, [0xffff9808]

        $sequence_3 = { 4883ec20 488b5118 488bd9 4883fa10 7239 4c8b01 48ffc2 }
            // n = 7, score = 100
            //   4883ec20             | mov                 ecx, esi
            //   488b5118             | dec                 eax
            //   488bd9               | shl                 ecx, 5
            //   4883fa10             | dec                 eax
            //   7239                 | mov                 dword ptr [esp + 0x78], esi
            //   4c8b01               | dec                 eax
            //   48ffc2               | cmp                 ecx, 0x1000

        $sequence_4 = { 48c1ea3f 488d0409 4833d0 498d0410 4803d8 4c33cb 4d8bc1 }
            // n = 7, score = 100
            //   48c1ea3f             | dec                 eax
            //   488d0409             | mov                 edx, dword ptr [ebp + 0x20]
            //   4833d0               | dec                 eax
            //   498d0410             | lea                 edx, [ebp + 0x10]
            //   4803d8               | dec                 eax
            //   4c33cb               | lea                 ecx, [esp + 0x70]
            //   4d8bc1               | dec                 esp

        $sequence_5 = { 4933d8 4c03cb 4933c9 4c894c2410 4c8be1 49c1ec3f 488d0409 }
            // n = 7, score = 100
            //   4933d8               | dec                 eax
            //   4c03cb               | shr                 edx, 0x18
            //   4933c9               | dec                 eax
            //   4c894c2410           | shl                 ecx, 0x28
            //   4c8be1               | dec                 eax
            //   49c1ec3f             | xor                 ecx, edx
            //   488d0409             | dec                 eax

        $sequence_6 = { 483bc1 767a ebbe ff15???????? cc 4885c9 }
            // n = 6, score = 100
            //   483bc1               | mov                 byte ptr [ebx], bh
            //   767a                 | jmp                 0xd04
            //   ebbe                 | dec                 ecx
            //   ff15????????         |                     
            //   cc                   | mov                 edx, esp
            //   4885c9               | dec                 eax

        $sequence_7 = { e8???????? 33c0 4883c420 5b c3 8bd3 488bc8 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   33c0                 | add                 edi, ecx
            //   4883c420             | inc                 ecx
            //   5b                   | xor                 edx, edi
            //   c3                   | mov                 ebx, edx
            //   8bd3                 | mov                 ecx, eax
            //   488bc8               | shr                 ecx, 0x1e

        $sequence_8 = { 488b5c2418 4803d1 41897f14 488b7c2430 4589570c 488d8a00000001 45897710 }
            // n = 7, score = 100
            //   488b5c2418           | dec                 eax
            //   4803d1               | sub                 edi, eax
            //   41897f14             | dec                 eax
            //   488b7c2430           | lea                 eax, [ebp - 0x49]
            //   4589570c             | dec                 eax
            //   488d8a00000001       | sub                 ebx, eax
            //   45897710             | dec                 eax

        $sequence_9 = { 4803d3 e8???????? b801000000 eb02 33c0 }
            // n = 5, score = 100
            //   4803d3               | and                 al, 0xf
            //   e8????????           |                     
            //   b801000000           | inc                 esp
            //   eb02                 | mov                 byte ptr [ecx + 2], al
            //   33c0                 | inc                 ecx

    condition:
        7 of them and filesize < 263168
}
Download all Yara Rules